Commits
- Commit:
f7eb3370fd07878c7c3a6f1470243c791f38f8a9
- From:
- Stefan Sperling <stsp@stsp.name>
- Date:
make gotd store own PID after daemon(3), and avoid calling daemon(3) needlessly
ok op, jamsek
- Commit:
b5225f29d85b32692bdfed88b3e93babf8269494
- From:
- Omar Polo <op@omarpolo.com>
- Date:
gotd: disconnect on client EOF too
Otherwise gotd keeps the (client-closed) sockets around and may prevent
new connections from being established since they still count for the
limits.
ok jamsek, stsp
- Commit:
e9e01966df9e3fe005d0e7c8abcc92134838eaf9
- From:
- Stefan Sperling <stsp@stsp.name>
- Date:
document the gotd -n option
- Commit:
abe844e2dfc7056150889993b3568fe400af7358
- From:
- Omar Polo <op@omarpolo.com>
- Date:
gotd: move socket path check to parse.y and error from the main process
It's handy to have a "bad unix socket path" error being reported
directly from the main process since can get caught by `gotd -n'.
ok jamsek stsp
- Commit:
809a54db7c7cec54dcacb53f62eedecc18a833da
- From:
- Omar Polo <op@omarpolo.com>
- Date:
gotd: move nrepos check to parse_config
ok jamsek stsp
- Commit:
f4e8c21cb2dc6a468bae32a4dcf3a9e18f269527
- From:
- Omar Polo <op@omarpolo.com>
- Date:
gotd: print configuration errors without -d
Defer the absolute path check on argv[0] and log_init so that it
becomes possible to run `gotd -n' to check the configuration file and
get errors without specifying -d. Erorrs in the configuration now are
actually always printed regardless of -d.
While here also tweak an error message and print 'configuration OK' if -n
ok stsp@
- Commit:
f7a854cff3b036707a2322ebff8540f29561a8a5
- From:
- Stefan Sperling <stsp@stsp.name>
- Date:
use just one pointer variable to keep track of a client's repo process
ok op@
- Commit:
eac23c306591c21ddaa23930159d302f668ae34c
- From:
- Stefan Sperling <stsp@stsp.name>
- Date:
update client state tracking in the gotd parent process
The session process takes over the old state definitions under
a new name ("session state"). The parent only needs to keep
track of whether a client has been granted access, so it only
uses two states: NEW, and ACCCESS_GRANTED which is set as soon
as the auth process has granted repository access and before
the session and repo_read/repo_write children are started.
Because 'gotctl info' can no longer observe the session state
remove support code for printing it.
ok op@
- Commit:
ee0b2e502f3be1d01835e96bdcd38afed67429f7
- From:
- Stefan Sperling <stsp@stsp.name>
- Date:
remove support for showing client capabilities in 'gotctl info'
The gotd parent process has lost access to client capabilities.
Take the easy way out and remove related code. If needed, client
capabilities can still be found in the debug log with 'gotd -v'.
ok op, jamsek
- Commit:
4da0355e93f589e30bffceac65bfb1a6f2395f36
- From:
- Stefan Sperling <stsp@stsp.name>
- Date:
remove now unused fields from struct gotd_client
- Commit:
ae7c1b785440d9b4e2289d935ca85725f45680f1
- From:
- Stefan Sperling <stsp@stsp.name>
- Date:
add a gotd session process, split off from the parent process
The new session process is able to manipulate files in the repository
and keeps track of the read/write client session state.
The parent process now restricts its view of the filesystem to the
absolute path stored in argv[0], and combines this with unveil "x"
on this path. As a result the parent process can only re-exec itself.
small tweaks + ok op@
- Commit:
9b7f22a6148eb14af6e59de120bb5b1dd0e05469
- From:
- Stefan Sperling <stsp@stsp.name>
- Date:
call realpath() during early startup in gotd's parse.y
This ensures that all repositories exist when the process is first started.
It will also help to avoid an "rpath" pledge promise in a future gotd which
uses a separate session process, by avoiding realpath() calls while starting
new processes.
- Commit:
e34d12854902b472e38f40dbc4e1e44acf093240
- From:
- Stefan Sperling <stsp@stsp.name>
- Date:
do not treat nonexistent repositories as a fatal error in gotd
- Commit:
c7224e4126f5079e0dcb5b29b8ddb14c242a6c0b
- From:
- Omar Polo <op@omarpolo.com>
- Date:
gotd: delete unreachable code after gotd_shutdown()
- Commit:
77f619a8442c52e9c02e8060b76c25def0b5f1c6
- From:
- Stefan Sperling <stsp@stsp.name>
- Date:
revoke filesystem access in gotd listen process via unveil(2)
This should avoid involuntary use of bind(2) with arbitrary socket paths.
ok op@
- Commit:
7843333165edf3bdaa739cd96c701e1b7d53aa81
- From:
- Stefan Sperling <stsp@stsp.name>
- Date:
expose 'gotctl info' output only to the root user
Now that anyone can connect to the socket, it is probably safer to
expose information about currently connected clients only to root.
- Commit:
6f854dde056f82d0c757c720beed863fc557a1ca
- From:
- Stefan Sperling <stsp@stsp.name>
- Date:
remove the gotsh group requirement from gotd; any user can now connect
Repository access is now controlled by access rules in gotd.conf,
and concurrent connections to the gotd socket by local users are
limited by the listen process. We should keep refining our anti-DoS
measures in the future, but at least we have something in place now.
ok jamsek, op
- Commit:
40b85cca5d86ebef3a353efd464af989c3ebf18b
- From:
- Stefan Sperling <stsp@stsp.name>
- Date:
introduce connection options to gotd.conf
Allow administrators to tweak the default authentication and request
timeouts if needed, and to tweak the limit of concurrent connections
for specific user accounts.
with several tweaks from and ok op@
- Commit:
77d0cae1993d80e742dbcf69ace80700ed616831
- From:
- Omar Polo <op@omarpolo.com>
- Date:
fmt
- Commit:
7fdc3e586448ae55ae38bef76bb5a0a34538e5e6
- From:
- Mark Jamsek <mark@jamsek.dev>
- Date:
gotd: nix trailing whitespace and indentation fix
ok op@, stsp@
- Commit:
44587340e4924f8f07bf02c57a9a1c2527c2d8d4
- From:
- Stefan Sperling <stsp@stsp.name>
- Date:
remove filesystem access via bind(2) from gotd auth process
op@ pointed out a problem in my initial patch where I forgot
to call unveil(2) with a path before unveil(NULL, NULL).
ok op, jamsek
- Commit:
365cf0f34d08316d433e730a8663283029f729b3
- From:
- Stefan Sperling <stsp@stsp.name>
- Date:
move "unix" pledge promise from gotd parent to auth process
The listen process now communicates the client UID/GID to the parent,
and the auth process verifies this on behalf of the parent.
This allows us to remove the "unix" pledge promise from the parent,
removing parent access to syscalls such as listen() and accept() in
the AF_UNIX domain.
ok tracey@ op@
- Commit:
ef4e2f01b0bff14f003a72321ce0165a0df72fa1
- From:
- Stefan Sperling <stsp@stsp.name>
- Date:
fix gotd authentication timeout
The authentication timeout was accidentally overriden by the request timeout.
Fix this and set both timeouts in the same place for clarity.
ok op@
- Commit:
5e25db14db9eb20ee11b68048b45b3e0f54d50eb
- From:
- Stefan Sperling <stsp@stsp.name>
- Date:
run gotd authentication in a separate child process
ok op@
- Commit:
b50a2b4639132c68255480f1c5c8785fd7cd8094
- From:
- Stefan Sperling <stsp@stsp.name>
- Date:
fork gotd repo_read/repo_write children on demand
ok op, jamsek